Dear All,
Thanks for all of your replies. Maybe I should further elaborate on my problem.
I would like to use Splunk to replace the log aggregation feature that I am now using in ArcSight.
Below is an example of the log aggregation in ArcSight.
In ArcSight, multiple fields were selected as the aggregated items, which are "src_ip", "dst_ip" and "attack_name".
Once there is an attack log from the device, for example:
src_ip=1.1.1.1 dst=2.2.2.2 attack_name=brute_force
ArcSight will trigger an alert and send an email notification.
When there is another attack log with the same "src_ip", "dst_ip" and "attack_name":
src_ip=1.1.1.1 dst=2.2.2.2 attack_name=brute_force
ArcSight WILL NOT trigger any alert or email notification.
But if one or more of the fields in the attack log are different, a new alert and email notification will be triggered.
Can I build similar logic in Splunk?
Many thanks
Victor
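The suppression logic Victor describes is a stateful throttle keyed on a tuple of event fields: the first event with a given (src_ip, dst_ip, attack_name) alerts, identical follow-ups are suppressed, and any event whose key differs alerts on its own. In Splunk this is what per-result alert throttling does (savedsearches.conf `alert.suppress = 1` with `alert.suppress.fields` listing the key fields and `alert.suppress.period` bounding the suppression). The Python below is an added example written for this thread, not ArcSight or Splunk code, to make the decision rule explicit and testable. It goes slightly beyond the post by adding a time window, because both products bound suppression in time rather than suppressing forever; the window length, the `key=value` line format, the `dst`/`dst_ip` alias, and all sample events are constructed assumptions.

```python
"""Field-keyed alert throttling modelled on the ArcSight aggregation above.

Added example, not product code. Assumptions: events arrive as single
'key=value key=value ...' lines, the aggregation key is
(src_ip, dst_ip, attack_name), and a suppressed key alerts again once
WINDOW_SECONDS have passed since its last alert (constructed value).
"""
from typing import Dict, List, Optional, Tuple

KEY_FIELDS = ("src_ip", "dst_ip", "attack_name")
WINDOW_SECONDS = 3600  # constructed suppression window, one hour

Key = Tuple[str, ...]


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'k=v k=v' line into a dict.

    The sample lines in the post write the destination as 'dst=' while the
    aggregation field is named 'dst_ip'; treating 'dst' as an alias is an
    assumption made here so both spellings key the same way.
    """
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" not in token:
            continue  # ignore tokens that are not key=value pairs
        k, v = token.split("=", 1)
        fields[k] = v
    if "dst" in fields and "dst_ip" not in fields:
        fields["dst_ip"] = fields["dst"]
    return fields


class AlertThrottle:
    """Remember when each key last alerted; suppress repeats inside the window."""

    def __init__(self, window_seconds: int = WINDOW_SECONDS) -> None:
        self.window = window_seconds
        self._last_alert: Dict[Key, float] = {}

    def key_for(self, event: Dict[str, str]) -> Key:
        """Build the aggregation key; an event missing a key field is an error
        rather than silently keyed on fewer fields (which would over-suppress)."""
        missing = [f for f in KEY_FIELDS if f not in event]
        if missing:
            raise ValueError(f"event missing aggregation fields: {missing}")
        return tuple(event[f] for f in KEY_FIELDS)

    def should_alert(self, event: Dict[str, str], now: float) -> bool:
        """True on the first sighting of a key, or once the window has elapsed."""
        key = self.key_for(event)
        last: Optional[float] = self._last_alert.get(key)
        if last is not None and now - last < self.window:
            return False  # same src_ip/dst_ip/attack_name inside the window
        self._last_alert[key] = now
        return True


def run(events: List[Tuple[float, str]],
        window_seconds: int = WINDOW_SECONDS) -> List[Tuple[float, Key, bool]]:
    """Replay (timestamp, line) pairs and return (timestamp, key, alerted)."""
    throttle = AlertThrottle(window_seconds)
    decisions = []
    for ts, line in events:
        event = parse_event(line)
        decisions.append((ts, throttle.key_for(event), throttle.should_alert(event, ts)))
    return decisions


# Constructed sample stream (timestamps are seconds from an arbitrary origin).
SAMPLE_EVENTS: List[Tuple[float, str]] = [
    (0,    "src_ip=1.1.1.1 dst=2.2.2.2 attack_name=brute_force"),     # first sighting: alert
    (60,   "src_ip=1.1.1.1 dst=2.2.2.2 attack_name=brute_force"),     # same key: suppressed
    (120,  "src_ip=1.1.1.1 dst=3.3.3.3 attack_name=brute_force"),     # dst differs: alert
    (180,  "src_ip=1.1.1.1 dst=2.2.2.2 attack_name=sql_injection"),   # attack_name differs: alert
    (4000, "src_ip=1.1.1.1 dst=2.2.2.2 attack_name=brute_force"),     # window expired: alert again
]

if __name__ == "__main__":
    for ts, key, alerted in run(SAMPLE_EVENTS):
        print(f"t={ts:>5}  {key}  {'ALERT' if alerted else 'suppressed'}")
```

The `key_for` check matters in a SIEM migration: if a source occasionally omits one of the key fields, a throttle that quietly keys on the remaining fields will lump unrelated events together and suppress alerts that should have fired, so such events are better surfaced as an error (or routed to a separate search) than silently aggregated.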